Pass the Hash Detection with DDNA Phil Wallisch

  • Slides: 16
Download presentation
“Pass the Hash” Detection with DDNA Phil Wallisch phil@hbgary. com

“Pass the Hash” Detection with DDNA Phil Wallisch phil@hbgary. com

The Need • It is possible for “admin” users to dump LSA hashes on

The Need • It is possible for “admin” users to dump LSA hashes on modern Windows platforms • An attacker can impersonate any user by leveraging a captured hash • No persistent malware is required to perform the attack. We must detect exited tools. • Detect hash dumping/injecting capability in running processes

The Approach • Locate attack remnants in unallocated memory • Identify active processes that

The Approach • Locate attack remnants in unallocated memory • Identify active processes that exhibit hash grabbing characteristics

Attack Tools Examined • Pass-The-Hash (PTH) Toolkit • http: //oss. coresecurity. com/projects/pshtoolkit. html •

Attack Tools Examined • Pass-The-Hash (PTH) Toolkit • http: //oss. coresecurity. com/projects/pshtoolkit. html • Gsecdump • http: //www. truesec. com/Public. Store/catalog/Downloads, 223. aspx • Pwdump 6 • http: //www. foofus. net/fizzgig/pwdump/

Attack Procedure • Platform: Windows XP SP 2 32 bit running in VMWare Workstation

Attack Procedure • Platform: Windows XP SP 2 32 bit running in VMWare Workstation 6. 5. • Two users added to the “administrator” group: ‘attacker’ and ‘victim’ • Victim logs in via a standard interactive session • The “switch user” functionality is executed • Attacker logs in via a standard interactive session • Attacker executes the hash dump functionality of the tool

PTH Toolkit Example

PTH Toolkit Example

Gsecdump Example

Gsecdump Example

Pwdump 6 Example

Pwdump 6 Example

Locate Attack Remnants • External Research: indicates that password hashes should not be present

Locate Attack Remnants • External Research: indicates that password hashes should not be present in virtual memory in their unencrypted form • Internal Testing: performed a pattern matching string search across • 54 memory images from a live corporate environment • 60 malware infected memory images from a lab environment • 3 separate memory images where hash dumping tools were individually run

Locate Attack Remnants (cont. ) • Pattern Used: • "b[a-f. A-F 0 -9]{32}: [a-f.

Locate Attack Remnants (cont. ) • Pattern Used: • "b[a-f. A-F 0 -9]{32}: [a-f. A-F 0 -9]{32}b“ • Word bounded search for two 32 hexadecimal character patterns separated by a colon • Results: • Live corporate images = 0 matches • Malware infected images = 0 matches • Hash dump memory images = 60 matches

Locate Attack Remnants (cont. ) • Conclusion: DDNA should have a hard fact for

Locate Attack Remnants (cont. ) • Conclusion: DDNA should have a hard fact for the presence of a string pattern "b[a-f. A-F 0 -9]{32}: [a-f. A-F 0 -9]{32}b” in any location in memory including unallocated space. This hard fact indicates evidence of an unencrypted LSA hash in memory on a system of interest. This technique is a tool agnostic approach to discovering LSA tampering.

Active Processes Detection Goals: • Modules with LSA hash dumping capabilities • Modules with

Active Processes Detection Goals: • Modules with LSA hash dumping capabilities • Modules with LSA hash injecting capabilities Solution: • DDNA traits covering PTH techniques • Naming convention of DDNA traits: PTH_X where “X” = trait number

LSASS Injection - PTH_1 • DDNA PTH_1 Research: • Regex Pattern: (virtualalloc|creater emotethread|lsass. exe)

LSASS Injection - PTH_1 • DDNA PTH_1 Research: • Regex Pattern: (virtualalloc|creater emotethread|lsass. exe) • Translate to AND logic in DDNA iam-alt. exe

LSASS Injection - PTH_1 (cont. ) gsecdump. exe pwdump 6. exe

LSASS Injection - PTH_1 (cont. ) gsecdump. exe pwdump 6. exe

LSASRV. DLL Loading - PTH_2

LSASRV. DLL Loading - PTH_2

Active Processes Conclusion DDNA Traits Required: • PTH_1: Hash Injection : Identify LSASS DLL

Active Processes Conclusion DDNA Traits Required: • PTH_1: Hash Injection : Identify LSASS DLL injection : I“Virtual. Alloc"ku AND I“Create. Remote. Thread”ku AND I”lsass. exe”ku • PTH_2: Hash Dumping : Identify LSASRV. DLL access : I”lsasrv. dll”ku NOT N”svchost. exe” NOT N”lsass. exe”

DDNA 2 0 Purpose Provide a DDNA scoreDDNA 2 0 Purpose Provide a DDNA score
1 File Hash Konsep File Hash Fungsi Hash1 File Hash Konsep File Hash Fungsi Hash
Hash Function 1 Contents Hash Functions Dedicated HashHash Function 1 Contents Hash Functions Dedicated Hash
Funes Hash Funao Hash Uma funo hash umFunes Hash Funao Hash Uma funo hash um
Cryptographic Hash Functions Hash Function The hash valueCryptographic Hash Functions Hash Function The hash value
the hash table 1 hash table hash tablethe hash table 1 hash table hash table
Hash Functions 1 Hash Functions A hash functionHash Functions 1 Hash Functions A hash function
Hash Tables Hash Function A hash function hHash Tables Hash Function A hash function h
1 File Hash Konsep File Hash Fungsi Hash1 File Hash Konsep File Hash Fungsi Hash
Le Pass Simple Le Pass Simple Le passLe Pass Simple Le Pass Simple Le pass
PROJECT PASS What is Project PASS Project PASSPROJECT PASS What is Project PASS Project PASS
Array pass by value Pass by Reference passArray pass by value Pass by Reference pass
Forward Backward Pass Forward Backward Pass Forward passForward Backward Pass Forward Backward Pass Forward pass
PASS COMPOS FRANCIA PASS COMPOS A Pass composPASS COMPOS FRANCIA PASS COMPOS A Pass compos
Le pass rcent Conjugaison PASS PRSENT PASS RCENTLe pass rcent Conjugaison PASS PRSENT PASS RCENT